Stakes are high in risk management. The mere existence of the three lines of defense (“3LOD”) is not enough. While a variety of functions across a financial institution are responsible for assuring that risks are appropriately assessed, mitigated, monitored, and managed, no formally appointed coordinator centralizes the objectives of each of the assurance functions. Without centralized coordination, organizations are vulnerable to duplicative efforts or missed coverage—and the resource inefficiencies they create.
Assurance maps provide a tool for centralizing risk identification and assessment. By mapping the various risk management and testing activities performed by the 3LOD in relation to priority risks, assurance maps help answer the question, “What are we missing?”
Identify an executive sponsor who will support collaboration and coordination, and executive-level risk owners for each major risk category. The risk and assurance map should be “personal” to each owner, particularly if the successful execution of his or her strategic objectives is at risk.
Determine the scope and desired level of assurance. Start small, targeting one key strategic objective, strategic risk, or emerging risk.
Identify the relevant assurance providers and agree on appropriate timing for constructing the assurance map.
Agree on or build common tools. Leverage common terminology for defining products and services, processes, risks, and controls; employ a common risk assessment and issue rating methodology; and integrate or align platforms for workflow, data analysis, and reporting. Simplicity is important. Avoid jargon.
Identify the current and expected assurance activities and assess for quality (depth, frequency, etc.).
Analyze the results and determine next steps to address any issues (gaps, duplication, etc.).
Meet frequently to reassess the scope, coverage, and risks.
Controls Testing & Monitoring Leader - Financial Services, PwC US
Director, Internal Audit, Compliance & Risk Management Solutions, PwC US